-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
whitelist script tag inserted for test file loaded assertion using nonce #88
whitelist script tag inserted for test file loaded assertion using nonce #88
Conversation
This adds a nonce to <script> tag inserted by ember-cli for assertion that test file was loaded. Otherwise this violates default CSP in tests. Nonce is always present in CSP header but only part of CSP meta tag injected into `tests/index.html`. A nonce used in productive applications must be cryptographically random. But since this one is only used in local development and if executing tests, using a static string is fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't used this addon in tests much, so I cannot really vouch for whether this will work or not.
But what you describe makes sense in theory.
Two small comments below!
@@ -109,6 +111,10 @@ module.exports = { | |||
return; | |||
} | |||
|
|||
if (policyObject) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For clarity, how about checking for options.environment === 'test'
here too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually this needs to be applied also for options.environment === 'development'
cause tests may be executed by http://localhost:4200/tests
. In that case option.environment
is true. So would end up checking the request target also...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jelhan Alright, I haven't used http://localhost:4200/tests
and I believe you, but it sounds weird that they aren't running under the test environment. Is that by design?
Anyway, perhaps we could test for both then?
options.environment === 'test' && options.environment === 'development'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a complex topic for http://localhost:4200/tests
and server middleware. The tests are running under test environment but the middleware is running under the environment used to start the server. So if we want to make sure that the nonce is only present in headers for testing we would end up with a check like this:
options.environment === 'test' || req.path === '/tests'
To be honest I haven't checked if ember test --server
runs middleware with test
environment but I expect it to do so.
But I don't see a big issue in having that nonce present always in request headers. They don't influence build result but only used for development server (ember serve
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have done some quick tests and it seems like serverMiddleware
hook is not executed if running ember test --server
. CSP headers are not present at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jelhan Got it, makes sense! I know the test server is only running under development and won't affect builds. I'm just thinking that making that clear in the if-statement will make it easier to reason about the code.
But you could also add a comment instead, something like:
// the local server will never run for production builds, so no danger in adding the nonce all the time
(I still would have gone with an if-statement, but I don't have a strong opinion on this)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Steps to check this feature:
You will notice two CSP violations reported:
The first one should be fixed by this PR, the second one is addressed by qunitjs/qunit#1369. |
@jelhan Seems like some of the tests failed, would you like to have a look at it? https://travis-ci.com/rwjblue/ember-cli-content-security-policy/jobs/178664703 You can try to just force-push to re-trigger another test-run, sometimes it's because of timeouts. @rwjblue I don't have any additional comments on this PR (in addition to those above). In my opinion it's mostly good to merge. But happy to hear your thoughts before I do anything. |
I don't think that issue for |
@@ -98,6 +100,8 @@ module.exports = { | |||
var options = config.options; | |||
var project = options.project; | |||
|
|||
console.log(options.environment); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whooops, I missed this before I merged!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Arghs and I missed that I committed that one with the last inline comment. I'm very sorry about that. Do you want me to open a PR to remove it or are you doing it yourself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
index.js
is not covered by ESLint 😭
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sandstrom Thanks a lot. I'm really sorry for the churn.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jelhan No worries, thanks for making this code better! 😄
This has been fixed upstream by rwjblue/ember-cli-content-security-policy#88 and is part of ember-cli-content-security-policy@1.1.1 release.
This adds a nonce to <script> tag inserted by ember-cli for assertion that test file was loaded. Otherwise this violates default CSP in tests.
Nonce is always present in CSP header but only part of CSP meta tag injected into
tests/index.html
.A nonce used in productive applications must be cryptographically random. But since this one is only used in local development and if executing tests, using a static string is fine.